Lawfare Daily: Juliette Kayyem on the New Critical Infrastructure Memo
The White House on April 30 released a “National Security Memorandum on Critical Infrastructure Security and Resilience.” According to the White House, the memo marks the beginning of a new comprehensive initiative to safeguard U.S. infrastructure against current threats and those on the horizon. The Department of Homeland Security is tasked with leading this effort—through coordination with other federal agencies, states and localities, and private-sector actors.
Lawfare Research Fellow Matt Gluck discussed the memo and what it reveals about the U.S. strategy for protecting its critical infrastructure with Juliette Kayyem, a Professor of International Security at the Harvard Kennedy School. What does it mean to share responsibility and information in this context? How does geopolitics affect the United States’ approach to protecting critical infrastructure? Which types of infrastructure are more closely tied to national security than others?
To receive ad-free podcasts, become a Lawfare Material Supporter at www.patreon.com/lawfare. You can also support Lawfare by making a one-time donation at https://
Transcript
[Intro]
Juliette Kayyem: There will always be black swan events, but in some ways, you're kind of ready for them if you prepare for your sort of generic high consequence events.
Matt Gluck: It's the Lawfare Podcast. I'm Matt Gluck, research fellow at Lawfare, with Juliette Kayyem, professor of international security at the Harvard Kennedy School.
Juliette Kayyem: You know, you kind of wanna make our response capabilities as nurtured and mature as our prevention capabilities.
Matt Gluck: Today we're talking about the new national security memo on critical infrastructure and what it reveals about the U.S. government's efforts to protect its most important domestic systems.
[Main Episode]
Matt Gluck: So, what leads to the release of the kind of document that we're talking about today?
Juliette Kayyem: Well, a lot of inter-agency discussions. I have been hearing about this document, National Security Memorandum 22, for some time. It reflects an update to a similar memorandum by the Obama administration on critical infrastructure.

A lot of it, and I don't mean this harshly, it's just the way government works. Some of it is just sort of like belly button, you know, who's in charge and how are we thinking about this? But there are some fundamental shifts in, I think, the Obama administration's orientation, substantively, and then, sort of bureaucratically, it really does put the finger on the scale for CISA—the Cyber and Infrastructure Security Agency at DHS really does, sort of, you know, reinforce its authority in this realm.
Matt Gluck: So one focus of the memorandum, which I was happy to see, because of the conversation that we recently had, was this focus on preparation for disasters,
Juliette Kayyem: Yeah.
Matt Gluck: instead of just response after the fact. So could you talk a little bit about how the memo kind of shifts left of boom, so you can remind listeners what that concept is?
Juliette Kayyem: Yeah. Thank you for quoting me to me. So I don't wanna oversell what's in this memorandum.
In particular, I've long thought that more enforceable regulations were necessary for critical infrastructure, but as you said, it does point in the right direction. And so when we talk about sort of boom moments, sort of, you know, left of boom is prevention and preparation and protection, these sort of things to stop the bad thing from happening, and then right of boom is response, recovery, and resiliency. Sort of, you know, after the stuff hits the fan. And, critical infrastructure—so there's a couple things going on in the memorandum.
I think the first is it recognizes physical cyber-attacks in a very meaningful way, so that this disjoint between, well, there's cyber-attacks and then there's physical attacks, that's reflected in all sorts of ways in government and the private sector, 'cause I work with both, is really put to rest. And so the beginning parts of the memorandum really say, look, we know from the ransomware attacks, we know from attacks like, you know, incidents like Volt Typhoon, which, you know, was basically infiltrating our critical infrastructure, that, you know, a cyber-attack is actually a physical attack.
And I really like that sort of connectivity that the memorandum really understood. We have a, you know, I mean—literally we have, you know, chief security, think about the private sector. You have chief security officers and then chief information security officers as if it weren't the same thing in most instances, or at least in critical infrastructure.
So, they really do focus on that and then give the lead for sort of what are the consequences of that and how to measure them to DHS. This is at DHS, and I think that's, I think that's been a long time coming. You just can't, you can't think that any type of attack on this critical infrastructure is anything but a physical attack.
Matt Gluck: And so this linkage between cyber-attacks and physical attacks, so this marks somewhat of a shift from prior policy?
Juliette Kayyem: Yes, it does. And, I mean, the two big fundamental shifts—
One of them is, I think, just a greater understanding of the sort of connectivity of the two. And then part of that is just we're learning from ransomware attacks and what we know is going on with critical infrastructure, so that it focuses the private sector on their responsibilities to have response plans and focuses DHS on sort of ensuring, without regulations, but sort of ensuring that they have those response plans. I should be clear here, there are some industries that do require them.
But I think the second piece was also, the second piece of the memorandum, substantively, was also a statement to the intelligence community, which tends to not want to share, 'cause Homeland Security remembers very funky for the intelligence community because, you know, there's all sorts of rules, as there should be, but sort of sharing intel information with private industry is difficult—but we have an entire apparatus that exists for this.
The private critical infrastructure industry has people who are ready for this, and so the second piece of the memorandum really focuses on the sharing of the intelligence with the private sector so that they can be ready.
Matt Gluck: I wanted to ask you about that. So one, the memo has eight guiding principles. One of them is this shared responsibility among federal actors, state actors, local actors, tribal leaders, territorial entities, and the private sector. So, what does that collaboration look like, concretely, day-to-day?
Juliette Kayyem: Yeah. So, I mean, literally this was, I was assistant secretary for Intergovernmental, so I know the stakeholders. To understand DHS: it's not like other agencies in the sort of foreign policy, warfare, as they say, you know, world. It's, you know, it is predominantly defensive in nature. It has responsibility with little authority. It has to work without a chain of command. So it's not like we're talking about a, you know, a combatant command, right?
We are, you know, I used to say there is no homeland, there's just 50 governors, right? I mean, you know, each with their own kingdom, you know, and then it's got territorial, tribal, cities and others, and then it has the private sector. And we're a unique nation, the extent to which our private—our infrastructure is held by the private sector with limited regulatory capacity or with limited regulatory oversight in this space. So, like, the airline industry has lots of oversight, but in terms of, in particular, attacks on critical infrastructure, part of that was, you know, just built without us really thinking about it, and that the regulations used to be around safety.
Are you—is the oil refinery emitting gases and the EPA is pissed off, rather than security, right, which would just be, you know, basically protecting the entity from outside influences. That's how we sort of think about it. So it takes a lot of stakeholder engagement, and that means the sharing of information.
Best practices, carrots with fewer sticks, which is a challenge, making the market see and understand the consequences of not doing so. So you can see that with various previous examples of cyber-attacks on pipelines, the cost of ransomware as well as attacks on the healthcare industry and others, so that, you know, you wanna sell it as a business necessity rather than just an add-on, and you do that through a variety of means.
After Colonial Pipeline, the attack on—the ransomware attack on Colonial Pipeline, which resulted in a pipeline company closing its operations 'cause they didn't know what was happening, essentially, or just with precaution, right. It depends on who you talk to, but they said it was precautionary. That industry got more regulations, but we should be, you know, in an ideal world you should be able to do this without doing it critical sector, you know, after critical sector.
So that's essentially what it looks like. But I think Biden's right in the memorandum that it really does begin with intel—it begins with his agencies, which is the shared responsibility, because otherwise the companies can't figure out what their risk and vulnerability is and then how much they should put into both prevention planning, but also response planning.
Matt Gluck: Is your sense that at this point, I mean, obviously the private sector is not monolithic, but is your sense that leaders in the private sector are starting to take these threats, both cyber and others, to critical infrastructure more seriously than they maybe have in the past?
Juliette Kayyem: I do. I think part of that, it may, and people on different sides of ideologies will argue, you know, the market will fix itself and others will say, well, it will take regulations. I think honestly the memorandum sort of punts on this a little bit, you know, saying that, you know, oversight entities have a responsibility to prioritize establishing and implementing minimum requirements without the White House actually saying what those are.
I do, I work a lot with the private sector. I will say some of it is legal liability. A lot of it is reputational, and that's gonna drive them. These are things that companies really—they can withstand, but they can't withstand too many times if they get attacked and if they seem irresponsible in how they respond. I always say, you know, the companies, especially in the private sector, they're not judged whether—they're judged based on their vulnerability, the crisis happened, but also then they're judged on their response.
And I think that the more that we can show the benefits of preparedness in, you know, in minimizing the losses.
The last time we talked, and, you know, my mantra is, fail safer, right? In other words, minimizing the losses, the better off we are. I think too much of our critical infrastructure is just—isn't integrating the cyber with the physical consequences.
So a ransomware attack is an attack on the pipelines. I'm not saying go to war over it, but I'm saying it's just, you've gotta conceive of it this way because it could make your pipelines or whatever it is vulnerable. But certainly, also, there are techniques that companies can go through to make the assault or whatever it is less bad, right, in other words. And then, and that's your resiliency. That's what resiliency looks like.
So that's where I think that this memorandum gets it right, even though, you know, it doesn't have a lot of regulatory teeth. It has, I think, a lot of important statements about how we should all be thinking about this, both in the public and the private sector.
Matt Gluck: One of the other principles is this risk-based approach that you've spoken about and written about a lot, and one of the components of that is prioritizing critical infrastructure that is more closely tied to national security. It would seem to me that most critical infrastructure is national security.
Juliette Kayyem: Yeah.
Matt Gluck: So what are the pieces of critical infrastructure that are seen as more closely tied to national security than others?
Juliette Kayyem: So, in one way, I mean, I agree with you in one way, or I agree with you on this instance, that a disruption of our critical infrastructure—so think of something even just like water—will be narrated by our enemies to show our vulnerabilities.
So it might not be a sophisticated attack, it might not be—it's just, you know, if you can't turn on the electricity, you know, if you have rolling blackouts or whatever it is, it's hard to say that you're showing strength to the outside world. So I do think in all instances, critical infrastructure is that.
But I mean, you know, we talked about, we've talked about this before, you know, if your grid, if you can't communicate about where to move assets in a crisis, in other words, if your communications, and telecommunications, and signal communications are down, everything else becomes a lot harder. So I'm not gonna prioritize them, but I certainly know in any generic crisis, if your ability to both absorb information so you know where to deploy resources and communicate information to those who are impacted, that's your sort of worst case scenario.
I will say things that, you know, seem familiar from what I write and I've written in my book, is they are very focused on risk assessments. They are very focused on consequences. I don't mean that as a way to ignore the black swan event and, you know, that's, for people who don't know this, that's the low probability, high consequence event. But as I've written in my books and elsewhere, we really need to focus on consequences; likelihood is just, it's hard to gauge, especially in an all-hazards world, right?
So, one of the things that the memorandum does is, well, you and I are talking in the world of attacks, it actually talks about all threats and hazards. That's key. Because the wind can bring down a city, the tornado, the waters, anything can bring down a city as well. And so I like that approach.
So, a lot of us in the field are very much focused on sort of your high consequence events. There will always be black swan events, but in some ways, you're kind of ready for them if you prepare for your sort of generic high consequence events.
I sometimes worry that, you know, the pursuit of the black swan event and all of our fabulous scenarios around AI and elsewhere sort of make us forget that there are, as Michele Wucker has said, there's just gray rhinos everywhere. We don't need to look for the black swans. There's rhinos, they're gray, they're everywhere, and they're scary, right? And that we don't need to be—to look for worse.
Matt Gluck: So you mentioned that some of these kind of large-scale risks posed by technological change, the memo talks about how certain technological and economic changes have created more interdependencies
Juliette Kayyem: Yeah.
Matt Gluck: among different critical infrastructure sectors. So could you first describe what those interdependencies are, and then also, if you could, address how policy should change because they exist?
Juliette Kayyem: Yes. The perfect example is happening now. I can't believe it's not a banner headline all the time.
It's the UnitedHealth Group's Change Healthcare. So, in terms of those interconnectivities, I'm gonna tell you a statistic that will be jaw-dropping: a third of Americans now may have had, I'll be careful, there's no proof of it yet, but were potential victims of the data swept up in February's ransomware attack on Change Healthcare.
Now, those of you—to just take you back, Change Healthcare you've never heard of before. It is literally the company that serves as the bridge between me and my doctor, my CVS, my everything. It's just so, it's just, like, basically your information flow. One would've never viewed it as critical infrastructure because no one's ever heard of it before. We might view healthcare, access to healthcare—so people can't get prescriptions. You know, this is a huge stress on the industry.
So I think what the memorandum is making clear is, you know, it's not just your target—your specific targets. It's the companies that are supporting and enhancing the capacity of those targets, and I thought that was important. I mean, it's clearly in light of Change Healthcare. And honestly, this is the other thing, is you gotta get those companies serious. Serious because, as far as we know now, the ransomware attack was due to a lack of multifactor authentication. The most basic freaking thing, you know, it's so frustrating.
But yeah, that is, that's what brings the system down. It wasn't an attack on a hospital, it was this just sort of bridge network.
Matt Gluck: So a lot of it has to do with the availability of data, is that right?
Juliette Kayyem: Yeah. Availability of data, situational awareness, and then capacity to respond with as few losses as possible.
I am, as we've talked enough, or I've talked enough with you guys, you know, I just don't live in this world in which I'm hoping that I can prevent all bad things from happening. How I'm gonna judge success is, you know, but for the investment, would things have been much worse, right? That's important to remember.
So, so what? How can we measure that investment? And that's how we have to begin to measure critical infrastructure response capabilities. We have to assume that they are vulnerable. We should make them less vulnerable, but they will be vulnerable. And then, you know, you kind of wanna make our response capabilities as nurtured and mature as our prevention capabilities.
Matt Gluck: One of the vulnerabilities the memo addresses is the threats posed by foreign actors to our critical infrastructure. So we can think of Volt Typhoon, and the presence of CCP-linked actors in our circuits and routers, where they were preparing to potentially wage an attack if the time was right.
So I've been thinking recently in different contexts. The U.S., for a while, didn't, obviously, see China as the threat that it does today. Now the Biden administration, and even the Trump administration, have been more focused on the threat that China poses, but do you think that there are exploitable loopholes that Chinese actors might be able to—through which Chinese actors might be able to enter our systems that we didn't think about as saliently because we weren't as focused on the cyber threat from China, kind of left over from our old geopolitics?
Juliette Kayyem: Yeah.
Matt Gluck: You think that is still seeping into our maintenance of our critical infrastructure?
Juliette Kayyem: I think, I mean, people won't get mad at me for this, like—all of our focus is on TikTok. I get it. You know, I don't have TikTok for the same reason, and I'm sure, but I mean, seriously folks, I mean, like, you think this is the only way that they're trying to amass power through networks and downloads and infiltration?
I will say for critical infrastructure, so we have the non-state actor threat. We have the non-man, we have the non-aggressive threats. So you have, I just don't want people to forget about climate and other challenges to it. You have mistakes, and then, but in terms of state actors, you know, we worry about Iran, we worry about North Korea, and we worry about Russia.
But obviously I think if you thought about the future non-war conflict between China and the United States, it's gonna be in cyber-attacks, in particular, and critical infrastructure. I wanna say clearly I do not know the answer to this question, but obviously the Chinese will have some understanding of our capacity and their critical infrastructure.
One should never think that, just because they're doing it to us, we're not doing it to them. I don't know the answer to that question. I'm just saying that's how, what is keeping China from doing this is they just clearly have a sense that we would have some capacity back.
You know, I wanna remind people about this 'cause I always find it one of the forgotten successes. There's many, and knock on wood, there'll continue to be, in the war in Ukraine.
The—Russia's attack on Ukraine is, remember that NATO was very clear that a cyber-attack by Russia on critical infrastructure in any of the NATO countries would be viewed as an Article 5 duty-to-respond violation. Now, the brilliance of that strategy was they never said what would rise to the level of a critical infrastructure attack. One has to assume something that ruined the waters, or, you know, that stopped, you know, running water in a city or electricity.
But I always thought that was something, you know, to the extent the memorandum does talk about international cooperation, there are ways to limit an adversary's capabilities. And I thought that was one, an interesting one, which is we will view a cyber-attack that has that kind of implications as an attack on us. As if you were, you know, raining bombs on us.
Matt Gluck: Does that strategic ambiguity exist in our domestic security policy too, outside of NATO? In the critical infrastructure, cyber context.
Juliette Kayyem: I am beginning to, I think, answer that question differently now. I'm beginning to think that, you know, did I wake up every night worried about this or that ransomware?
Look, the insurance industry has regularized ransomware enough, I mean, as normalized in some way that a company can get insurance for a ransomware attack and be protected. My answer to that question now is I worry that there is too much ambiguity now, and you're seeing the price increase, but you're also seeing an industry that—it is so weird to say this about a criminal industry—but a criminal industry that used to be semi-reliable, right?
In other words, they would get into the system, they wanted a certain amount of money. Once they got that money, they would get out of the system because they wanted reliability, that they could go to the next one and the next one would do the same thing.
That reliability is gone, and I think the ambiguity we've been living in about things like ransomware probably should end. We have very few duties of disclosure. We don't even, we don't have a prohibition on paying it. We've sort of thought that it was something that we could just sort of handle as the normal course of business, and I think that's proving to be wrong.
Matt Gluck: I noticed that the memo discusses the need to integrate security and resilience into our critical infrastructure related acquisition programs,
Juliette Kayyem: Yeah.
Matt Gluck: and the evaluation of foreign investment in the United States. But I didn't see any reference to the export of critical infrastructure materials. So why is that? I know that we're very focused on export-related restrictions, foreign military and—
Juliette Kayyem: Yeah.
Matt Gluck: technological efforts. But so why does the government see those as separate from this critical infrastructure issue?
Juliette Kayyem: I mean, I think the short answer is 'cause of the dual use aspects of critical infrastructure.
So it's just, an F-22 doesn't have a dual use, right? Like I'm not wondering what's its civilian usage, right, where there's lots of materials, assets, knowledge, in the critical infrastructure world, that is 95% unrelated to security; it might be related to safety, but really doesn't have any international security implications.
These are just, you know, they're pipes, right? Like the pipes just go in the water, right? And so, it is that, it's dual use functionality that makes it very difficult. So think about, compare it to bio, right? Anthrax has no dual use, right? I mean, unless you're looking for a cure for it. But it's not like going into the civilian market.
So you can heavily regulate, you know, what a Bio Lab Four looks like, or the export or the transport of anything like that. This is not true in critical infrastructure. I mean, you think about, honestly, it's like buses, right? I mean, when you think about transportation, it's like the bus, the dinky MBTA buses that I look at when I ride my bike to work in Boston. It's, that's the difference.
Matt Gluck: The memo requires the Secretary of Homeland Security to issue a national infrastructure risk management plan every two years, which the memo says should focus on risks to individual sectors and also cross-sector risks. What, in your view, would be a successful plan? Or what should a successful plan or an effective plan include?
Juliette Kayyem: Well, I think the most important thing now, just given sort of the nas—it's not that nascent—but the relatively nascent nature of this, is just really clearly defining the roles and responsibilities of various agencies in this space, in the same way that, say, the homeland security presidential directives did after 9/11. You know, is this an FBI thing? Is this a DHS thing? Is this a DOD thing?
And then a maybe second wave would be to then begin a regulatory process of more than carrots that would bring these companies to at least a basic floor of not just prevention, but also response preparedness should something happen. And so I think that is key.
And then the third piece, I guess, I would say is that intelligence sharing component, to make sure that while we're demanding or requesting things of critical infrastructure, we're also delivering what the federal government's value add is, which is we just know more things on an intelligence side than states, localities, territories, tribes, private sector, especially in critical infrastructure, and to continue to share that.
That's what I think, I mean, I think that's what they're trying to do with some of the limitations that we have. I, you know, I think it's a, I think it's a strong memo. I really like the pieces that we talked about, in particular about intelligence and the cyber-physical changes, the, you know, risk focusing on consequences as much as probability, and some of the other attributes in it.
But it's a challenge to do that in a world that doesn't really have a lot of legislative teeth in it. And that may be the next wave depending on what happens.
Matt Gluck: All right. We'll have to leave it there. Juliette, thank you so much for joining us.
Juliette Kayyem: Thank you so much. I'll talk to you soon, I am sure.
[Outro]
Matt Gluck: The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad-free versions of this and other Lawfare podcasts by becoming a Lawfare material supporter through our website, lawfaremedia.org/support. You'll also get access to special events and other content available only to our supporters.
Please rate and review us wherever you get your podcasts. Look out for other podcasts, including Rational Security, Chatter, Allies, and the Aftermath, our latest Lawfare Presents podcast series on the government's response to January 6th. Check out our written work at lawfaremedia.org.
The podcast is edited by Jen Patja and your audio engineer this episode was Cara Shillenn of Goat Rodeo. Our theme song is from Alibi Music. As always, thanks for listening.
